Enabling Principal Propagation from client application(HTML5) to backend via SAP Cloud Platform API Management using OAuth
“Principal Propagation”, it is commonly understood as the ability of a system to securely forward
or propagate the authenticated user (principal) from a sender to a receiver in a way that the forwarded user information is kept confidential and – even more important – cannot be changed during transit.
One of the ways for Enabling Principal Propagation is through OAuth.
In this blog, we will see how to enable OAuth configuration, create a destination, assign the destination to the client application and propagate the authenticated user (principal) from a client application(HTML5) to a backend system through SAP Cloud Platform API Management.
Let’s get started!
Creating an OAuth Client
OAuth client is needed to get an access token for the OAuth-protected resources in the application.
In the cloud cockpit, navigate to the subaccount, select OAuth, click on clients and then select “Register a new client”.
Fill in the following details, click on confidential, give the client secret and Save it.
Note: In this scenario, my HTML5 application and Apiportal application are on the same sub-account so trust configuration between accounts is not needed
Configuration on SAP Cloud Connector for On-Premise connectivity
For this scenario, I will be using AP2 SAP Gateway system as a backend
Downloading and configuring cloud connector refer
https://blogs.sap.com/2015/02/11/set-up-your-sap-web-ide-on-hana-cloud-part-2/
Type https://localhost:**** on your browser following screen should come up
Enter Username and password to log in as Admin
Click on Add Account to add an account
Fill in the appropriate details as shown below for your account
Under Account Dashboard; Account should be added
As I have added my hanatrial account as host so my hanatrial account should be added as shown below
Now we will be adding the On-Prem system for eg ER9 (S/4 HANA system)
Click on Cloud To On-Premise
Add Backend System as SAP Gateway and Click Next
Select Protocol as HTTPS and click Next
Add host and port of Backend System and click Next
In Virtual Host and port don’t put the same name and port as above
Select Principle Type as X509 Certificate and Click Next
Check the summary, select internal host checkbox and select Finish
The system should get added
Click on Add button under Resources Accessible to add URL path as”/” this is to consider all the resources after “/”
With this, we have configured our backend system in Cloud Connector
Configuration on the SAP Backend (SAP Gateway) Side
Note: – This configuration can be skipped if SAML has been already activated in the SAP Gateway.
Please refer blog under section “Configuration on the SAP Backend (SAP Gateway) Side” for configuring SAP backend.
Create an API Provider to SAP Gateway System
Login to your SAP Cloud Platform account (say https://account.hanatrial.ondemand.com/cockpit).
Navigate to the Services tab, search for API Management service tile and click to open API Management service.
Click on the link Access API Portal to open API Portal.
Navigate to API Provider and click on Create
Give a name lets say “AP2” in this case as we are connecting AP2 backend
Navigate to CONNECTIONS tab and fill the details
Create an API Proxy to connect to SAP Gateway
Navigate to develop and click on create
Fill in the following details and Save and click on Create
Save and Deploy
Copy API Proxy URL and save it in a notepad as it will be used in the destination
Creating Destination on the subaccount
Navigate to the cockpit and from left hand-side select Destinations and click on New Destination
Fill in all the fields
Save the created destination.
Testing the Flow from HTML5 Application
In this blog, the pre-requisite is that HTML5 application is already created and deployed on the same subaccount where we have the API portal subscription and therefore I will not be showing you how to create an HTML5 application.
From the left-hand-side navigate to HTML5 Application and make sure your application is in the started state.
Click on the application and Under required destinations fill in the following details and select the destination created above.
Now copy the application URL.
Append the URL with URL/APIMgmtEndPoint/< API Proxy name>
Hit the above URL in the browser and without giving user and password, user principal will be propagated to the backend via API Management and you should get the response
Further Reads
- Enhanced features of SAP Cloud Platform API Management
- Monitoring and Governing 3rd Party APIs
- API Security Best Practices
- Accelerate digital application development
- For more blogs on SAP Cloud Platform, API Management visit us at SAP Community
- Single Sign-On
Great work Shilpa. Thanks for sharing. This opens up more possibilities and would enable us to build UIs which leverage APIs exposed via APIM.
Thanks Murali!
Great information, thanks a lot Shilpa. By the way, do you know if there are plans for SAP Gateway to support also Token Introspection, https://oauth.net/2/token-introspection/
Great Tutorial:
Two questions for this approach:
Thank you!
Tino
Hello Tino,
Thank for your kind words!
Answer to your questions
Regards
Shilpa